From 20619e08ee35159c6a3f525645b7f357bff2ccc6 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Wed, 15 Jul 2015 14:58:58 +0100
Subject: [PATCH] Issue #2522002 by pwolanin, fgm, znerol: Do not strip www.
from cookie domain by default because that leaks session cookies to
subdomains
---
core/lib/Drupal/Core/Session/SessionConfiguration.php | 6 ------
.../Drupal/Tests/Core/Session/SessionConfigurationTest.php | 2 +-
2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/core/lib/Drupal/Core/Session/SessionConfiguration.php b/core/lib/Drupal/Core/Session/SessionConfiguration.php
index 994b4b9249f3..a76b979460b2 100644
--- a/core/lib/Drupal/Core/Session/SessionConfiguration.php
+++ b/core/lib/Drupal/Core/Session/SessionConfiguration.php
@@ -129,12 +129,6 @@ protected function getCookieDomain(Request $request) {
}
else {
$host = $request->getHost();
-
- // Strip www. from hostname.
- if (strpos($host, 'www.') === 0) {
- $host = substr($host, 4);
- }
-
// To maximize compatibility and normalize the behavior across user
// agents, the cookie domain should start with a dot.
$cookie_domain = '.' . $host;
diff --git a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
index 4d6ef96974dc..59325eb1ee6e 100644
--- a/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
+++ b/core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php
@@ -51,7 +51,7 @@ public function testGeneratedCookieDomain($uri, $expected_domain) {
public function providerTestGeneratedCookieDomain() {
return [
['http://example.com/path/index.php', '.example.com'],
- ['http://www.example.com/path/index.php', '.example.com'],
+ ['http://www.example.com/path/index.php', '.www.example.com'],
['http://subdomain.example.com/path/index.php', '.subdomain.example.com'],
['http://example.com:8080/path/index.php', '.example.com'],
['https://example.com/path/index.php', '.example.com'],
--
GitLab